Cross-Site Request Forgery (CSRF) vulnerability in Julian Weinert // cs&m Hover Image plugin <= 1.4.1 versions.
The Stop Registration Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, this issue allows to inject arbitrary web scripts in pages, that will execute whenever a user accesses an injected page.
The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting.
The SMS for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses the plugin's settings page.
The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on th tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The LMB^Box Smileys plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The LinkedIn Resume plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.00. This is due to missing or incorrect nonce validation on the linkedinresume_printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The SH Contextual Help plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation in the sh_contextual_help_dashboard_widget() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.This issue affects Simple XML Sitemap: from n/a through <= 1.3.
The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The LockerPress – WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The osTicket WP Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed_save function. This makes it possible for unauthenticated attackers to create or modify feed entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Seo Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.3. This is due to missing or incorrect nonce validation on the check_integration() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Latest Post Accordian Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the 'lpaccordian' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.4.2. This is due to missing or incorrect nonce validation on the preview function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. In combination with CVE-2025-7354, it leads to Reflected Cross-Site Scripting.
The Linux Promotional Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'inux-promotional-plugin.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.
The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The weichuncai(WP伪春菜) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'add-user-meta' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1. This is due to missing or incorrect nonce validation on the 'LatestCheckins' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim.
Cross-Site Request Forgery (CSRF) vulnerability in Page Carbajal Custom Post Status allows Stored XSS.This issue affects Custom Post Status: from n/a through 1.1.0.
The BabelZ WordPress plugin through 1.1.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
Cross-Site Request Forgery (CSRF) vulnerability in Ivan Ovsyannikov Aphorismus allows Stored XSS.This issue affects Aphorismus: from n/a through 1.2.0.
The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The BP Profile Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.7.5. This is due to missing or incorrect nonce validation on the bps_ajax_field_selector(), bps_ajax_template_options(), and bps_ajax_field_row() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
The dejure.org Vernetzungsfunktion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.97.5. This is due to missing or incorrect nonce validation on the djo_einstellungen_menue() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Cross Site Request Forgery (CSRF) vulnerability in Turms Admin API thru v0.10.0-SNAPSHOT allows attackers to gain escalated privileges.
Cross-Site Request Forgery (CSRF) vulnerability in Alexander Volkov WP Nice Loader allows Stored XSS.This issue affects WP Nice Loader: from n/a through 0.1.0.4.
A Cross-Site Request Forgery (CSRF) vulnerability has been found in SpagoBI v3.5.1 in the user administration panel. An authenticated user can lead another user into executing unwanted actions inside the application they are logged in, like adding, editing or deleting users.
Cross-Site Request Forgery (CSRF) vulnerability in Get Push Monkey LLC Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart allows Cross Site Request Forgery.This issue affects Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart: from n/a through 3.9.
Cross-Site Request Forgery (CSRF) vulnerability in Phoetry phZoom allows Stored XSS.This issue affects phZoom: from n/a through 1.2.92.
Cross-Site Request Forgery (CSRF) vulnerability in Kevin McCabe Kevin's allows Stored XSS.This issue affects Kevin's: from n/a through 2.0.0.
Cross-Site Request Forgery (CSRF) vulnerability in overtrue wp auto top allows Stored XSS.This issue affects wp auto top: from n/a through 2.9.3.
Cross-Site Request Forgery (CSRF) vulnerability in Alberto Reineri Simple Header and Footer allows Stored XSS.This issue affects Simple Header and Footer: from n/a through 1.0.0.
Cross-Site Request Forgery (CSRF) vulnerability in SEO-Küche Internet Marketing GmbH & Co. KG Protect Your Content allows Stored XSS.This issue affects Protect Your Content: from n/a through 1.0.2.
Cross-Site Request Forgery (CSRF) vulnerability in DevriX DX Dark Site allows Stored XSS.This issue affects DX Dark Site: from n/a through 1.0.1.
Cross-Site Request Forgery (CSRF) vulnerability in Navdeep Kumar Wp Login with Ajax allows Stored XSS.This issue affects Wp Login with Ajax: from n/a through 0.6.